Top Security Tips for Your WordPress Site
Securing your blog is not an easy task; at the same time it doesn’t have to be a complicated one, and it should be something you take very seriously. If you’re doing any level of business, or you plan to grow your blog, and you haven’t considered security yet, then now is the time to sit down and make things happen.
The last thing you want is to put tons of time and effort into a site only to lose it all because you skipped some simple precautions that take less than an hour to implement. Below is a list of some of the top security tips you can apply to your blog.
- Don’t Invite Attacks
- Backup Your Entire Site
- User Credentials
- Limit File System Access
- Use Quality Code
- Use Secure Channels
- Harden Your Admin
- Hacker Troubleshooting
Don’t Invite Attacks
This is probably the most overlooked piece of security advice anyone can offer, and many times it goes much further than any technical measure suggested here. The main idea is simple: don’t invite attacks on your site. That means being respectful and just plain being a nice man or woman. Keep your online reputation at its highest and avoid offensive communication that could invite any type of attack. Sometimes these attacks come in the form of a denial of service attack, where an attacker floods your server so that nobody else can reach your site; this has happened to many politicians and individuals who offended somebody through deed or action.
It is also important to watch any claims you make or sponsor. Don’t claim that your site is super secure or that it has yet to be penetrated; that is just asking for an attack, or in some cases a challenge. Leaving rude or ill-considered responses in any type of electronic format that can be used against you later is something you should avoid at all costs. The old proverb, “do unto others as you would have them do unto you,” should ring loud in your life on the grid and should always be in the back of your mind.
Backup Backup Backup…
Be sure that you back up not only all your files but also your entire database on a frequent basis. Make sure this backup resides somewhere other than the server where your site is located. A backup also serves you well if your site does get hacked and you need to restore it to a pre-hacked state. There are lots of plug-ins on the market that can do this, but be sure the plug-in supports both your database and your file system. If you’re interested in a free plug-in, we have one that will work for you. It’s written by the great folks right here at LifeInTheGrid.com and is called the Duplicator.
User Credentials
The username ‘admin’ should be removed completely. It is the default administrator username for WordPress and an easy guess for most hackers. All passwords should have the following characteristics:
- at least eight characters in length
- contain a special character, such as (%, @, !)
- contain a number
- contain an upper and lower case letter
Limit File System Access
Don’t allow your web server to serve up anything but individual files such as images, CSS, JS and PHP files. By default on most web servers, if there is no index.html or index.php inside a directory, the web server will list the directory and the other files inside that path. To avoid this, simply add the following line to the (/your-wordpress-root/.htaccess) file that resides in the root of your WordPress site. (Note that Apache rejects the mixed form “Options All -Indexes”; the relative form below is the one that works.)
- Options -Indexes
Furthermore, you should lock down your wp-content directory to only serve up the necessary web files. Place the following snippet in your (/your-wordpress-root/wp-content/.htaccess) file. Again, if it’s not there, just create the .htaccess file.
Order Allow,Deny
Deny from all
<FILES ~ "\.(jpeg|jpg|gif|png|js|css|ico|php|xml)$">
Allow from all
</FILES>
Use Quality Code
When working with any code that is not part of the core WordPress system, be extra careful about whether you will use it at all. Read all the reviews and even do a Google search to see what people are saying about the plug-in or theme. It is highly recommended that you have a localhost version of WordPress installed; this way you can test the plug-in in a local development environment before pushing it to production.
Every plug-in and theme that you install creates additional access points for hackers to attempt to get into your system. If you’re not using a theme or plug-in, then don’t have it on your production system (don’t even leave it deactivated). When a new WordPress update comes out, it’s recommended to update sooner rather than later. While most updates from WordPress are pretty solid, it’s still a good idea to test the new update locally and then push it to your production site.
Use Secure Channels
Any time you send credentials or log in to a system, those credentials travel unencrypted unless you’re using an encrypted protocol, and any potential hacker on the path can easily see your login and password. So when you transfer files (FTP) or log in to your WordPress administrator, do it over a secure channel such as SSL or SSH. Below are a few good tips to follow whenever you use your credentials to sign in to any part of your WordPress site.
Logging into the administrator
The following setting can be used in your wp-config.php file, but it only works if the server your WordPress site resides on supports SSL.
- define('FORCE_SSL_LOGIN', true);
When Using FTP
If you’re using an FTP program such as FileZilla and your hosting provider supports SFTP (secure FTP), then be sure to enable it. Don’t get lazy and plan to do it sometime; just do it now and set your mind at peace. The process is super simple: by configuring your settings to always use it, you can be secure with every transfer from here on out. See the picture below for an example of where to set this in FileZilla.
If you’re using a default remote directory to drill down into your theme folder or WordPress site, you might have to change it for SFTP, since some hosting providers map it a little differently.
Harden Your Admin
Your wp-admin directory is especially important because the scripts in it have deep access to your database and file system. Therefore, it’s important that none of the files in this directory can be accessed by anyone other than the required users. This can easily be done by editing the .htaccess file located in your wp-admin directory (if it doesn’t exist, just create one). Add the following to the file, where every ‘allow from’ is a location you will be browsing from when you use your WordPress administrator. If you need to browse from outside of these IP ranges, just SFTP into your hosting account from wherever you are and add your current IP to the list.
AuthName "Access Control"
# deny everyone, then allow only the listed addresses (Apache comments must start a line)
order deny,allow
deny from all
# whitelisted IP addresses
# My House
allow from 18.104.22.168
# My Hotspot
allow from 22.214.171.124
# My Work
allow from 126.96.36.199
Hacker Troubleshooting
If your site does get hacked and you followed the advice in the backup section above, then you should be able to restore your site to a pre-hacked state. There are a couple of ways to see where and how you got hacked, and most of those signs will appear in your database or in your file system. We’ll run through one way to check each.
Assuming you have a snapshot of your file system from before it was hacked, you can find out which files changed or were added by comparing the snapshot against your currently hacked system. Just download a copy of UltraCompare (use the free trial if you need to) and compare the snapshot against the current version. If you only want to compare a single file, you can use a tool such as DiffMerge or UltraEdit.
To see where a database entry may have been hacked, export your database to a file, grab a copy of your pre-hacked database export (good backup plug-ins will generate this file; see Duplicator), and compare the two files with either of these tools (DiffMerge or UltraEdit).
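As an added example (not part of the original article), here is a scripted version of the snapshot comparison described above: it hashes every file under a pre-hack snapshot and under the live copy and reports what was added, modified or removed. The same function works for a database check by pointing both roots at folders holding the two export files. The directory layout and file contents in demo() are constructed for illustration only.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(snapshot_root, live_root):
    """Return (added, modified, removed) relative paths, each list sorted."""
    before = hash_tree(snapshot_root)
    after = hash_tree(live_root)
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, modified, removed


def _write(root, rel, content):
    """Helper: create rel under root (with parent dirs) holding content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed scenario: a clean snapshot versus a tampered live copy."""
    with tempfile.TemporaryDirectory() as snap, tempfile.TemporaryDirectory() as live:
        for root in (snap, live):
            _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
            _write(root, "wp-content/themes/t/style.css", "body {}\n")
        _write(snap, "readme.html", "<h1>WordPress</h1>\n")            # missing from live
        _write(live, "wp-config.php", "<?php define('DB_NAME', 'wp');\n/* edited */\n")
        _write(live, "wp-content/uploads/unexpected.php", "<?php /* new */ ?>\n")
        return compare_trees(snap, live)


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```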
- Hardening WordPress (wordpress.org)
- Changing File Permissions (wordpress.org)
- Apache Security (apache.org)
- Linux File Permissions (tuxfiles.org)
Evolving Article: This is an evolving article, meaning it is continually being improved and new content is continually being added. Bookmark this article to revisit it and catch up on the newest updates. Version 1.1